Data Processor Terms for Consultants
Last Updated: 22 May 2019
In these Terms, the following terms shall have the following meanings:
- "controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings given in Applicable Data Protection Law;
- "Applicable Data Protection Law" shall mean: the EU General Data Protection Regulation (Regulation 2016/679);
- "the Services", "Supercell", "the Consultant", shall have the meanings set out in the Consulting Agreement between Supercell OY and the Consultant which incorporates these Terms.
- Relationship of the parties: Supercell (the controller) appoints the Consultant as a processor to process personal data relating to its end users which is processed in the course of providing the Services (the "Data") for the purposes described in the Consulting Agreement (or as otherwise agreed in writing by the parties) (the "Permitted Purpose"). Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
- International transfers: the Consultant shall not transfer the Data (or allow the Data to be transferred) outside of the European Economic Area ("EEA") without Supercell's prior written consent, which, without prejudice to Supercell's right to refuse or prescribe any other conditions, shall be conditional upon the Consultant ensuring, and demonstrating to the reasonable satisfaction of Supercell, that the conditions under Applicable Data Protection Law are satisfied. For example, where appropriate the Consultant may enter into standard data protection contractual clauses pursuant to Article 46(2)(c) of the Applicable Data Protection Law.
- Confidentiality of processing: The Consultant shall (i) only process the Data itself, (ii) shall do so in the strictest confidence and in accordance with the confidentiality provisions in the Consulting Agreement and (iii) shall not authorise any other person to process the Data.
- Security: The processor shall implement technical and organisational measures to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a "Security Incident").
- Subcontracting: the Consultant shall not engage any third party subprocessors to process the Data without Supercell's prior written consent, which, without prejudice to Supercell's right to refuse or prescribe any other conditions, shall be conditional upon the Consultant entering into appropriate terms including in relation to data protection matters, which are appropriate under Applicable Data Protection Law and which are reasonably satisfactory to Supercell.
- Cooperation and data subjects' rights and Data Protection Impact Assessment: The Consultant shall provide reasonable and timely assistance to Supercell (at Supercell's expense):
- to enable Supercell to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law; and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to the Consultant, the Consultant shall promptly inform Supercell providing full details of the same; and
- in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
- Security incidents: If it becomes aware of a confirmed Security Incident, the Consultant shall inform Supercell without undue delay and shall provide reasonable information and cooperation to Supercell so that it can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. The Consultant shall also take any such reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Supercell informed of all material developments in connection with the Security Incident.
- Deletion or return of Data: Upon termination or expiry of the Consulting Agreement, the Consultant shall (at Supercell's election):
- destroy or return to Supercell all Data in its possession or control; or
- allow an authorised representative of Supercell to have reasonable access to the systems and storage devices used by the Consultant in providing the Services for the purpose of destroying or returning all Data in the Consultant's possession or control.
- Audit: The Consultant shall also respond to any written audit questions submitted to it by Supercell and co-operate with any request to audit its practices more generally (which may include access to premises, systems or software used by the Consultant to process the Data, provided that Supercell shall use such access only for the purposes of assessing the Consultant's compliance with these Data Processor Terms when processing the Data).